The etcd service protocol is currently configured with internal_protocol.
The etcd service is not load balanced by a HAProxy container, so
there is no proxy layer to do TLS termination when internal_protocol
is configured to be "https".

Until the etcd service is configured to deploy with native TLS
termination, the etcd uses should be independent of
internal_protocol, and "http" by default.

Change-Id: I730c02331514244e44004aa06e9399c01264c65d
Closes-Bug: 1884137

The double quotation is not necessary for include_tasks, this
ps to cleanup it.

Change-Id: I0701035d185fdf19286cced7fe51fc277511e4c1

Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.

There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_amp_secgroup_list' to match its ID. Ideally the flavor and
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.

This change adds a new variable, 'octavia_service_auth_project', that
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.

If a deployer sets 'octavia_service_auth_project' to 'admin', the
octavia user will be assigned the admin role in the admin project, as
was done previously.

Closes-Bug: #1882643
Related-Bug: #1873176

[1] https://review.opendev.org/720243/



Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Change-Id: I1efd0154ebaee69373ae5bccd391ee9c68d09b30

Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with
"kolla_admin_openrc_cacert". OS_CACERT is now set to the value of
"kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.

Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/

Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.

Updated openstack_cacert to use system CA trust store in CI tests
certificate by default.

Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network

During an upgrade from Stein to Train, Kolla Ansible fails while running
TASK [cinder : Running Cinder online schema migration]

This is because the `--max_count 10` option is used, which returns 1
while migrations are processed. According to the upgrade documentation,
the command should be rerun while the exit status is 1:
https://docs.openstack.org/cinder/train/upgrade.html

This issue was introduced by a change to the image [1] which fixed a bug
in the way that the max count was interpreted, but exposed an issue in
using the max count.

This change fixes the issue by ceasing to pass MAX_NUMBER, which will
cause all migrations to occur in a single pass.

[1] https://review.opendev.org/#/c/712055

Change-Id: Ia786d037f5484f18294188639c956d4ed5ffbc2a
Closes-Bug: #1880753

This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513

Grafana changed the error message wording.
Match on the shortest sane string to play it safe.

Change-Id: Ic175ebdb1da6ef66047309ff07bcbba98fc67008
Closes-Bug: #1881890

related to newly introduced merge mechanism.
1) Per-host overrides cannot be run_once.
2) Since merge_yaml is silent about missing files, it ignored
   the fact that no proper file was given due to wrong variable
   being referenced (see the closed bug).

Change-Id: I6db4af4c6e3364838bdae510f300038b0c1560b0
Closes-Bug: #1882460

There's a logic error here, we call nova role from nova.yml file
under ansible folder. we should clone code before run
bootstrap_service task. if not, /opt/stack/nova which is empty
will mount to nova_api container.

Change-Id: Icc54c15080db9c2dc92709480e00b990e5a88662

planned task removal

Change-Id: I613794667b8c08f524a69e7e3f447b2217efb3f7

When installing kolla with external ceph, ceph_cinder_user
var has to be set per documentation instead of ceph_cinder_volume_user.
This value is also rendered in example etc/kolla/globals.yml file.

This patch is fixing this bug or, let's say typo.

Change-Id: Id82b07867f4bc0e5d5e56363f0122014df6892bc

Change-Id: Id43627c6b6d305d0efbdd27ac5a2efbd5bee9107

Provides mechanism to deploy custom skydive.conf files.

Change-Id: I3033b6268a2e955f3e86b1b7000db17c1bb18c47

Since the Victoria released, the unnecessary task should be clean up.

Change-Id: Idd2a05ed0594dcca6fa9881dee63f5550cb6dc0e

Change-Id: Iea3f4f3d2e5c6040c1e0bc7bfae8719cc7d8ac55

This was missed in the original patch.

Change-Id: I991b0563560cf4a0b1feb718951ffdf21ab81856

non-root user has no permission to create directory under /opt
directory. use "become: true" to resolve it.

Change-Id: I155efc4b1e0691da0aaf6ef19ca709e9dc2d9168

Fixed on ``Copying VMware vCenter CA file`` and ``Copying over nsx.ini``.

Change-Id: If909f59e7e4b241594c6b2567784ecad23e74226
Closes-Bug: #1882252

Change-Id: I8633f7d250f331ca96788d8f4796889c3c312406
Closes-Bug: #1882259

STATIC_ROOT in local_settings.py should be configured
to path which is also configured in apache's config.

For debian, ubuntu binary setup it is
/var/lib/openstack-dashboard/static.

Reason why it is "accidentaly" working is:

For debian package:
Package is overriding STATIC_ROOT in
/etc/openstack-dashboard/local_settings.d/_0003_debian_static_root.py.
But this is going to be removed from settings in
https://review.opendev.org/733607.

For ubuntu package:
Ubuntu package is adding patch to package which is including
PYTHON_PATH do /usr/share/openstack-dashboard/
And also they are creating several dirty symlinks to get it working.

This patch is fixing this behaviour more clearly.

Change-Id: I9862ac7ab462ca9018b684d63f26458ddda9f73a

backport: ussuri, train

Without this the container returns an empty response.

Change-Id: Ic36845f3fc625c080c92904b58ace070dd24fbb2
Closes-Bug: #1881784

The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: I907008ff4102806a6f7c88572f89f3beb500d9d7

Fix glance configuration task to create the backend PEM only on hosts with
glance service enabled.

Change-Id: I641c51761a99828854aafcc1e7354d6932d86659

The Monasca Log API has been removed and in this change we switch
to using the unified API. If dedicated log APIs are required then
this can be supported through configuration. Out of the box the
Monasca API is used for both logs and metrics which is envisaged to
work for most use cases.

In order to use the unified API for logs, we need to disable the
legacy Kafka client. We also rename the Monasca API config file
to remove a warning about using the old style name.

Depends-On: https://review.opendev.org/#/c/728638
Change-Id: I9b6bf5b6690f4b4b3445e7d15a40e45dd42d2e84

Since at least Stein, there is no visible effect from these tasks.
The Kibana dashboard seems to be working exactly the same,
greeting user on the first use with "please configure my index".
I tested on both Ubuntu and CentOS.
In new E*K stack (Ussuri+, CentOS8+) it even causes play errors.

Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: Iafc6986cce9cbaa0ea9e219ca85d7d01a61308cf
Closes-Bug: #1799689

you might refer to:
https://github.com/gophercloud/utils/blob/b0167b94122ca14ce50258a760b4e9b22788f0d7/openstack/clientconfig/results.go#L41

Change-Id: Ia326360c412aad9ca4d1735cc6486aa2fce22c1a
Closes-Bug: #1850812

Depends-On: https://review.opendev.org/710217/

Change-Id: I85652f23e487c40192106d23f2cdd45a3077deca

bump api version to v2[1]

[1]: https://review.opendev.org/#/c/700102/

Change-Id: I799f126a30081a85da4f3c41ce705c3756bbe6ba

Change-Id: Ib0916626b969336ec4bb43028f95f901d5c8cb91

* Reworked tox pep8 into linters job, that runs:
  - pep8
  - bandit
  - bashate
  - doc8
  - yamllint
  - ansible-lint (validate-all-files.py + ansible-lint)

* Skip E701 - missing galaxy_info in meta and E602 see [1].
* Skip E301 and E503 - followup later in a separate change
* Added ansible-role-jobs to zuul.d/project.yaml which will run
  openstack-tox-linters job in check queue
* Fixed remaining style issue
* Made tox and docs reference the new env for linters
* Dropped pype environment (not supported)

[1]: https://github.com/ansible/ansible-lint/issues/457

Change-Id: I494b4b151804aac8173120e6c6e42bc2fdb00234

Change-Id: Ic0d0543b6ad93743eae2a144e8a3b07de54e6d96
Closes-Bug: #1878344

The pre-check was broken, see bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021

Change-Id: I812665059783617d581d748e619b29426f89b353

The RabbitMQ 'openstack' user has the 'administrator' tag assigned via
the RabbitMQ definitions.json file.

Since the Train release, the nova-cell role also configures the RabbitMQ
user, but omits the tag. This causes the tag to be removed from the
user, which prevents it from accessing the management UI and API.

This change adds support for configuring user tags to the
service-rabbitmq role, and sets the administrator tag by default.

Change-Id: I7a5d6fe324dd133e0929804d431583e5b5c1853d
Closes-Bug: #1875786

The refactor in change I500cc8800c412bc0e95edb15babad5c1189e6ee4
broke the task `Enable Monasca Grafana datasource for control
plane organisation`. This change fixes the brackets.

Change-Id: I9167a312be107fbfddfd07740f67845c2eaafc3d
Closes-Bug: 1878878

Fix Heat WSGI logging directives and correct access log name.

Change-Id: Iac09e481ae46934fc26300eba8c5d81ccd0504e8
Partially-Implements: blueprint add-ssl-internal-network

Change-Id: I797bb5997e6a3391e82bff766c96f7855de4adc4
Closes-bug: #1878325

Keystone was not loading the correct mod_ssl library in centos 8
deployment.

Change-Id: I604d675ba7ad28922f360fdc729746f99c1507b4
Partially-Implements: blueprint add-ssl-internal-network

This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network